Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-2878

Summary
Assigner-ProgressSoftware
Assigner Org ID-f9fea0b6-671e-4eea-8fde-31911902ae05
Published At-25 Feb, 2026 | 14:45
Updated At-27 Feb, 2026 | 17:06
Rejected At-
Credits

Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ProgressSoftware
Assigner Org ID:f9fea0b6-671e-4eea-8fde-31911902ae05
Published At:25 Feb, 2026 | 14:45
Updated At:27 Feb, 2026 | 17:06
Rejected At:
▼CVE Numbering Authority (CNA)
Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.

Affected Products
Vendor
Progress Software CorporationProgress Software
Product
Telerik UI for ASP.NET AJAX
Default Status
unaffected
Versions
Affected
  • From 2011.2.712 before 2026.1.225 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-331CWE-331 Insufficient Entropy
Type: CWE
CWE ID: CWE-331
Description: CWE-331 Insufficient Entropy
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-149CAPEC-149 Explore for Predictable Temporary File Names
CAPEC-26CAPEC-26 Leveraging Race Conditions
CAPEC ID: CAPEC-149
Description: CAPEC-149 Explore for Predictable Temporary File Names
CAPEC ID: CAPEC-26
Description: CAPEC-26 Leveraging Race Conditions
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Monetary Authority of Singapore
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878
vendor-advisory
Hyperlink: https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@progress.com
Published At:25 Feb, 2026 | 15:20
Updated At:26 Feb, 2026 | 15:23

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Type: Primary
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CPE Matches
Progress Software Corporation
progress
>>telerik_ui_for_asp.net_ajax>>Versions before 2026.1.225(exclusive)
cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-331Primarysecurity@progress.com
CWE ID: CWE-331
Type: Primary
Source: security@progress.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878security@progress.com
Mitigation
Vendor Advisory
Hyperlink: https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878
Source: security@progress.com
Resource:
Mitigation
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1Records found
CVE-2023-34363
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.21% / 43.79%
||
7 Day CHG~0.00%
Published-09 Jun, 2023 | 00:00
Updated-06 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. It is possible for a well-placed attacker to predict the output of this random number generator, which could lead to an attacker decrypting traffic between the driver and the database server. The vulnerability does not exist if SSL / TLS encryption is used.

Action-Not Available
Vendor-n/aProgress Software Corporation
Product-datadirect_odbc_oracle_wire_protocol_drivern/a
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Details not found